CALIFORNIA
Regulators Fine Kaiser Unit $200,000
The state imposes the penalty for breaching patient confidentiality in
exposing
health records on the Web.
By Debora Vrana
Times Staff Writer

June 21, 2005

State regulators Monday fined a division of Kaiser Permanente $200,000
for exposing on the Internet the confidential health records of about
150 patients for as long as four years.

The nation's largest nonprofit health insurer began a test program to
make medical records of some of its members available electronically to
physicians, and to give members access to their own records over the
Internet.

But the Kaiser website in 1999 included confidential patient
information, such as addresses, phone numbers and lab tests, that was
available for public viewing. Oakland-based Kaiser did not remove the
site until it was brought to the attention of federal authorities in
January 2005, according to the California Department of Managed Health
Care.

And Kaiser told patients about the medical records just three months
ago, after it was reported in the media, the state said.

"Not only was this a grave security breach, Kaiser did not actively
work to protect patients until after they had been caught," said Cindy
Ehnes, director of the state agency. "We're imposing this fine because
we consider this act to be irresponsible and negligent at the expense
of members' privacy and piece of mind."

The $200,000 fine against Kaiser Foundation Health Plan is the largest
the state has imposed against a health insurer for a breach of patient
confidentiality violation, the agency said.

"It was an oversight and it will not happen again. We regret it," said
Rick Malaspina, a spokesman for Kaiser in Northern California. "We've
learned a lot from this."

Under state law, a health plan can be fined if it violates the
confidentiality of medical information, without first obtaining the
patient's authorization, state officials said. Kaiser Permanente, with
8.3 million members, reported first-quarter net income of $552 million
on revenue of $7.7 billion.

A former Kaiser Web coordinator, Elisa D. Cooper, 35, first brought the
security breach to the public's attention by posting links to the site
on her blog. The Berkeley resident then notified civil rights
authorities. Kaiser then sued her, accusing her of invasion of privacy
and breaking a confidentiality agreement; that suit is still pending in
Alameda County Superior Court. Cooper was let go by Kaiser in 2003.

"I'm glad to see this action," Cooper said Monday. "People don't
understand this information was there for years."

In April, state healthcare regulators issued a cease-and-desist order
against Cooper for linking to Kaiser's website and disseminating
confidential medical information.

Kaiser is in the midst of creating KP HealthConnect, an electronic
medical records center, that it hopes by 2007 will give doctors
up-to-the minute access to lab results and diagnostic images, and would
give members access to their own records on the Internet. The system is
designed to promote better healthcare and to reduce costs.

Although Kaiser promises the system will be designed to resist hackers
and be password protected, the recent security breach shows "just how
vulnerable these systems can be," said Beth Givens, director of the
Privacy Rights Clearinghouse, a nonprofit consumer group in San Diego.

"Many people are even more concerned about their medical information
being public than their financial information," she said. "There are
things in their records they don't even tell members of their own
families."